

We did not accept Yahoo’s assertion that each reasonable person would understand the “Stay signed in” setting to be “on” by default, or that the additional safeguards it explained to our Office were adequate to mitigate the risk to a user who inadvertently stays signed in on a shared or public computer. Noting that emails may contain highly sensitive personal information, we would expect robust safeguards against unauthorized access. The complainant alleged that the Yahoo! Canada (“Yahoo”) setting whereby Yahoo Mail users (the “users”), and in particular Rogers Yahoo Mail users, stayed signed in by default posed great privacy concerns for users accessing their email on a public or shared computer.

At the outset of the investigation, we noted that Rogers Yahoo Mail customers agreed to Yahoo’s Terms of Service, and Yahoo was responsible for the mechanism by which Rogers Yahoo Mail users logged into their email accounts.

As a result, we focused our investigation on whether Yahoo was, via its “Stay signed in” setting: (i) adequately safeguarding against unauthorized third-party access to the content of users’, including Rogers Yahoo Mail users’, emails on a public or shared computer and (ii) obtaining valid consent for its disclosure of personal information to others who subsequently access those emails. An organization that implements a “stay signed-in” feature should, among other things, provide users with prominent and clear language regarding the potential privacy implications of enabling the feature, including the potential for a subsequent user on the same device to gain unintended access to the users’ emails. Such safeguards would generally include a requirement that users opt-in to the setting. Noting that emails may contain highly sensitive personal information, organizations must have robust safeguards against unauthorized access.

Emails can contain highly sensitive personal information (health or financial information, intimate content, private opinions, sexual orientation, etc.), which if revealed, could cause grave harm to an individual’s reputation, finances (via identity theft) or even safety.

The complainant alleged that the Yahoo! Canada setting whereby Yahoo Mail users, and in particular Rogers Yahoo Mail users, stayed signed in by default posed great privacy concerns for users accessing their email on a public or shared computer.

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Description
